diff --git a/manifests/hostcert/gridcert.pp b/manifests/hostcert/gridcert.pp
new file mode 100644
index 0000000000000000000000000000000000000000..4b116286b86e09833ca15dfa5b901ccf36fce3a1
--- /dev/null
+++ b/manifests/hostcert/gridcert.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Convenience class for managing the grid host certificate.
+ * This class installs the grid host certificate, from ${fqdn}-cert.pem
+ * and ${fqdn}-key.pem at the source.  Overrides ..::default_absent.
+ *
+ * See x509certs::hostcert::gridcert::manage for details.
+ * See also the classes x509certs::hostcert::gridcert::default_absent
+ * and x509certs::hostcert::gridcert::absent.
+ */
+class x509certs::hostcert::gridcert
+      inherits x509certs::hostcert::gridcert::default_absent
+{
+    X509certs::Hostcert::Gridcert::Manage[$::fqdn] {
+	ensure => 'present',
+    }
+}
diff --git a/manifests/hostcert/gridcert/absent.pp b/manifests/hostcert/gridcert/absent.pp
new file mode 100644
index 0000000000000000000000000000000000000000..9846129783c76cfaf43d59a8ca942eab018f3f61
--- /dev/null
+++ b/manifests/hostcert/gridcert/absent.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Convenience class for managing the grid host certificate.
+ * This class makes sure the grid host certificate is absent, overriding
+ * the x509certs::hostcert::gridcert class.
+ *
+ * See x509certs::hostcert::gridcert::manage for details.
+ * See also the classes x509certs::hostcert::gridcert::default_absent
+ * and x509certs::hostcert::gridcert.
+ */
+class x509certs::hostcert::gridcert::absent
+      inherits x509certs::hostcert::gridcert
+{
+    X509certs::Hostcert::Gridcert::Manage[$::fqdn] {
+	ensure => 'absent',
+    }
+}
diff --git a/manifests/hostcert/gridcert/default_absent.pp b/manifests/hostcert/gridcert/default_absent.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b3b2f645098f01337e77a1aafb45bffa33051bac
--- /dev/null
+++ b/manifests/hostcert/gridcert/default_absent.pp
@@ -0,0 +1,21 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Convenience class for managing the grid host certificate.
+ * This class is useful as a default for nodes, to make sure that the
+ * host certificate is absent by default.
+ *
+ * See x509certs::hostcert::gridcert::manage for details.
+ * See also the classes x509certs::hostcert::gridcert and
+ * x509certs::hostcert::gridcert::absent.
+ */
+class x509certs::hostcert::gridcert::default_absent
+{
+    x509certs::hostcert::gridcert::manage {
+	$::fqdn:
+	    ensure => 'absent';
+    }
+}
diff --git a/manifests/hostcert/gridcert/manage.pp b/manifests/hostcert/gridcert/manage.pp
new file mode 100644
index 0000000000000000000000000000000000000000..b65f47868b3fb56975ed4b6cc10a903987fc3090
--- /dev/null
+++ b/manifests/hostcert/gridcert/manage.pp
@@ -0,0 +1,65 @@
+# Copyright © 2015-2020 National Supercomputer Centre,
+#                       Linköping University, Sweden
+# Licensed under the GNU LGPL v3+; see the README file for more information.
+
+
+/*
+ * Manage a "grid host certificate".
+ *
+ * A grid host certificate is installed in the /etc/grid-security
+ * directory under the name "hostcert.pem" and "hostkey.pem" instead
+ * of in the usual directories.  There is also no provision for having
+ * a CA chain file; CA chains are expected to be managed by installing
+ * CA certificates in /etc/grid-security/certificates, using the
+ * x509certs::gridca definition.  This is how many grid applications,
+ * e.g. dCache or NorduGrid ARC, want their certificates.
+ *
+ * $x509certs::config::hostcert_source is used to find the
+ * certificate and key files, unless overriden by the $source
+ * parameter.  Certificate and key files at the source are expected
+ * to be named "${name}-cert.pem" and "${name}-key.pem".
+ *
+ * Despite being a definition, it really is a singleton.  This is
+ * mostly intended as a helper for the x509certs::hostcert::gridcert
+ * classes below.
+ */
+
+define x509certs::hostcert::gridcert::manage($source='', $ensure='present')
+{
+    include x509certs
+    include x509certs::config
+
+    $sourcebase = $source ? {
+	''	=> $x509certs::config::hostcert_source,
+	default	=> $source
+    }
+
+    case $ensure
+    {
+	'present': {
+	    include x509certs::grid_security_dir
+	    file {
+		"${x509certs::grid_secdir}/hostcert.pem":
+		    source => "${sourcebase}/${name}-cert.pem",
+		    owner => 'root', group => 'root', mode => '0644';
+		"${x509certs::grid_secdir}/hostkey.pem":
+		    source => "${sourcebase}/${name}-key.pem",
+		    owner => 'root', group => 'root', mode => '0400';
+	    }
+	}
+
+	'absent': {
+	    file {
+		"${x509certs::grid_secdir}/hostcert.pem":
+		    ensure => absent;
+		"${x509certs::grid_secdir}/hostkey.pem":
+		    ensure => absent;
+	    }
+	}
+
+	default: {
+	    fail("X509certs::Hostcert::Gridcert[${title}]:",
+		 "Bad parameter ensure, ``${ensure}''")
+	}
+    }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 7530ed0be3b9540cbdf46cac105cd9cfebe59cd4..0664d366327c241faca23b71f4a7277a6dcca781 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -3,108 +3,6 @@
 # Licensed under the GNU LGPL v3+; see the README file for more information.
 
 
-
-/*
- * Manage a "grid host certificate".
- *
- * A grid host certificate is installed in the /etc/grid-security
- * directory under the name "hostcert.pem" and "hostkey.pem" instead
- * of in the usual directories.  There is also no provision for having
- * a CA chain file; CA chains are expected to be managed by installing
- * CA certificates in /etc/grid-security/certificates, using the
- * x509certs::gridca definition.  This is how many grid applications,
- * e.g. dCache or NorduGrid ARC, want their certificates.
- *
- * $x509certs::config::hostcert_source is used to find the
- * certificate and key files, unless overriden by the $source
- * parameter.  Certificate and key files at the source are expected
- * to be named "${name}-cert.pem" and "${name}-key.pem".
- *
- * Despite being a definition, it really is a singleton.  This is
- * mostly intended as a helper for the x509certs::hostcert::gridcert
- * classes below.
- */
-
-define x509certs::hostcert::gridcert::manage($source='', $ensure='present')
-{
-    include x509certs
-    include x509certs::config
-
-    $sourcebase = $source ? {
-	''	=> $x509certs::config::hostcert_source,
-	default	=> $source
-    }
-
-    case $ensure
-    {
-	'present': {
-	    include x509certs::grid_security_dir
-	    file {
-		"${x509certs::grid_secdir}/hostcert.pem":
-		    source => "${sourcebase}/${name}-cert.pem",
-		    owner => 'root', group => 'root', mode => '0644';
-		"${x509certs::grid_secdir}/hostkey.pem":
-		    source => "${sourcebase}/${name}-key.pem",
-		    owner => 'root', group => 'root', mode => '0400';
-	    }
-	}
-
-	'absent': {
-	    file {
-		"${x509certs::grid_secdir}/hostcert.pem":
-		    ensure => absent;
-		"${x509certs::grid_secdir}/hostkey.pem":
-		    ensure => absent;
-	    }
-	}
-
-	default: {
-	    fail("X509certs::Hostcert::Gridcert[${title}]:",
-		 "Bad parameter ensure, ``${ensure}''")
-	}
-    }
-}
-
-
-/*
- * Convenience classes for managing the grid host certificate:
- *
- *  - x509certs::hostcert::gridcert::default_absent
- *    Usable as a default for nodes, to make sure the host certificate
- *    is absent by default.
- *
- *  - x509certs::hostcert::gridcert
- *    Install the grid host certificate, from ${fqdn}-cert.pem and
- *    ${fqdn}-key.pem at the source.  Overrides ..::default_absent.
- *
- *  - x509certs::hostcert::gridcert::absent
- *    Make sure the grid host certificate is absent, overriding the
- *    ...::present class.
- *
- * See the x509certs::hostcert::gridcert::manage for information about
- * details.
- */
-
-class x509certs::hostcert::gridcert::default_absent
-{
-    x509certs::hostcert::gridcert::manage { $::fqdn: ensure => 'absent'; }
-}
-
-class x509certs::hostcert::gridcert
-      inherits x509certs::hostcert::gridcert::default_absent
-{
-    X509certs::Hostcert::Gridcert::Manage[$::fqdn] { ensure => 'present', }
-}
-
-class x509certs::hostcert::gridcert::absent
-      inherits x509certs::hostcert::gridcert
-{
-    X509certs::Hostcert::Gridcert::Manage[$::fqdn] { ensure => 'absent', }
-}
-
-
-
-
 /*
  * Directory locations and other constants.
  *